--- # `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on # a dynamic include_tasks only selects the include itself, not its contents, so # `--tags ` would run nothing (Ansible gotcha). - name: Configure host firewall (nftables) ansible.builtin.include_tasks: file: firewall.yml apply: tags: [firewall] tags: [firewall] - name: SSH hardening ansible.builtin.include_tasks: file: ssh.yml apply: tags: [hardening] tags: [hardening] - name: Fail2ban intrusion deterrence ansible.builtin.include_tasks: file: fail2ban.yml apply: tags: [hardening] tags: [hardening] - name: NetBird mesh enrollment ansible.builtin.include_tasks: file: mesh.yml apply: tags: [mesh] when: base__mesh_enabled | bool tags: [mesh]